Unfortunately, it looks like the method is still in effect. Philip Neustrom, the co-founder of Shotwell Labs, lately found two demo websites that would pass account details if you visited from a mobile connection. By simply inserting a zip code and clicking a button, the site would spit out the full name, current location, and more data.
It would seem that these sites are grasping the information from the same means that Verizon got busted for. That presentation, the Unique Identifier Header, added data to HTTP requests from Verizon consumers and then, for a fee, would let websites see the info. AT&T has a comparable plan called the “Mobile Identity API”.
The collecting of this sort of data is not a new thing. Carriers have been making things like this for years, but the FCC arrangement was supposed to put an end to it. On its face, a plan like this may seem to have zero benefits to consumers. But, there are businesses that can leverage this information for security-related purposes. Businesses should, in theory, be able to verify that a user is where their IP says they are with data like this. If a user was asked to use a safety procedure like this, they would be opting in by default.
The problem, though, comes from carriers not supporting consent. The sites that Neustrom found provide an explanation of their functionality by pinging mobile providers and telling you the data. This process is dangerously insecure because carriers are not carrying out any kind of confirmation you’re actually opting into this process. The API for one of the sites, payfone.com, even allows consumers to look up the information by just stating the user has consented. It also allows batch lookups.
There is enough evidence that US telecom businesses are selling real-time access to customer data to third-party companies. Then, that data can be resold to other businesses or governments. This is all occurring without customers opting in.
Add Comment